Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Lithuania: VDAI fines Vinted €2.38M for violation of data processing principles
On July 3, 2024, the State Data Protection Inspectorate (VDAI) published its decision of July 2, 2024, in which it imposed a fine of €2,385,276 on Vinted UAB for violating the General Data Protection Regulation (GDPR) following data subject complaints.
Background to the decision
The VDAI highlighted that it received complaints forwarded by the French data protection authority (CNIL) and the Polish data protection authority (UODO) in 2021 and 2022 alleging that Vinted had not properly implemented data subject erasure and access requests.
Findings of the VDAI
Following its investigation, the VDAI held that Vinted had implemented 'shadow blocking,' whereby Vinted platform users were made to leave the platform for violating the platform's principles without them being made aware of such processing of their personal data. The VDAI noted that the implementation of the above mechanisms violated the principles of fairness and transparency and negatively impacted the ability of users to exercise their data subject rights under the GDPR. Accordingly, the VDAI found Vinted to have violated Article 5(1)(a) of the GDPR regarding the principles of lawfulness, fairness, and transparency.
In addition, the VDAI found that in one case Vinted did not take sufficient technical and organizational measures to ensure the implementation of the principle of accountability to demonstrate that it had taken action regarding the right of access. As such, the VDAI determined Vinted to have violated Article 5(2) of the GDPR in relation to the principle of accountability. The VDAI also found that Vinted did not provide sufficient detailed information when denying right-to-be-forgotten requests from blocked users. Vinted further failed to provide all the reasons for inaction related to the data subject request and the purposes for which the data subject's data would continue to be processed. Therefore, Vinted was found to have violated Articles 12(1) and 12(4) of the GDPR in relation to the failure to provide transparent information, communication, and conditions for the exercise of data subject rights.
The VDAI clarified that it took the European Data Protection Board's (EDPB) Guidelines 04/2022 on the calculation of administrative fines into account.
Outcomes
In conclusion, Vinted was fined €2,385,276 for the above violations.
You can read the decision here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
